Closed Bug 834001 Opened 12 years ago Closed 10 years ago

Add new GeoTrust DSA root

Categories

(CA Program :: CA Certificate Root Program, task)


Tracking

(Not tracked)

RESOLVED WONTFIX

People

(Reporter: rick_andrews, Assigned: kathleen.a.wilson)

Attachments

(1 file, 1 obsolete file)

Attached file CAInformationTemplate_GeoTrustNew.docx (obsolete)
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0
Build ID: 20130116073211

Steps to reproduce:

I would like to add this new GeoTrust root to Mozilla's trust list:
GeoTrust Primary Certification Authority - G4 (SHA256WithDSA)
And set the Websites (SSL/TLS), Email (S/MIME), Code Signing and EV trust bits
Added information about external subordinate CA customers.
Attachment #705576 - Attachment is obsolete: true
I apologize for the delay in my response. My work on root inclusion requests was postponed for a while. I am accepting this bug, and will work on it as soon as possible, but I have a large backlog.
https://wiki.mozilla.org/CA:Schedule#Requests_in_the_Information_Gathering_and_Verification_Phase
I will update this bug when I begin the Information Verification phase.
https://wiki.mozilla.org/CA:How_to_apply#Information_Verification
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Hi Kathleen, Please let us know the next steps. Regards, Rashmi Tabada
(In reply to Rashmi Tabada from comment #3)
> Please let us know the next steps.

1) Provide *public-facing* auditor's statements regarding Symantec's compliance to the Baseline Requirements.
https://wiki.mozilla.org/CA:CertificatePolicyV2.1#Baseline_Requirements
https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/inclusion/
"6. We require that all CAs whose certificates are distributed with our software products: ...
- provide public attestation of their conformance to the stated verification requirements"

2) Respond to BR-Compliance Bugs
Bug #1017544 - GeoTrust: Invalid encoding in certificates
Bug #1017550 - VeriSign: Invalid encoding in certificates
Bug #1037906 - Equifax: Still valid 1024 certificates

3) Provide a concrete plan for *removing* old Symantec roots. There are too many Symantec roots in Mozilla's CA program.
https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/included/
search for "(owned by Symantec)"

4) Prioritize Symantec's inclusion requests -- I only have the bandwidth to work on one of these at a time, along with all of my other work.
Bug #833974 - VeriSign - EV for included ECC root
Bug #833986 - New Symantec branded roots
Bug #833996 - Thawte - EV, DSA
Bug #833998 - Thawte - EV for included ECC root
Bug #834001 - GeoTrust - EV, DSA
Bug #834004 - GeoTrust - EV for included ECC root
(In reply to Kathleen Wilson from comment #4)
4) Prioritize Symantec's

In priority order for current requests regarding adding/enabling roots....
1. Bug #833986 - New Symantec branded roots
2. Bug #833974 - VeriSign - EV for included ECC root
3. Bug #833998 - Thawte - EV for included ECC root
4. Bug #834004 - GeoTrust - EV for included ECC root
5. Bug #833996 - Thawte - EV, DSA
6. Bug #834001 - GeoTrust - EV, DSA
We are removing support for DSA/DSS certificates completely from Gecko and mozilla::pkix. Whether or not this certificate should be added should be contingent on the results of bug 1073867 and bug 1107787.
See Also: → 1073867, 1107787
Mozilla does not plan to add DSA support to Mozilla's CA Certificate Policy, so we will not add DSA root certs to NSS. https://groups.google.com/d/msg/mozilla.dev.security.policy/JFmDFlHILOY/KHJzcJezpnQJ
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Resolution: --- → WONTFIX
Product: mozilla.org → NSS
Product: NSS → CA Program